The UK Cyber Security Challenge and Business Email Compromise
Businesses in the UK are today suffering a wave of cyberattacks in the form of “Business Email Compromise” (BEC) and it is essential to know how to gear up your board for cyber attacks.
The UK is second in the world after the US for the number of attacks, according to the FBI Internet Crime Report, accounting for 26 per cent of the total global number of emails, which amount to nearly 90,000 per day, and cost a total of $1.3 billion.
Here is a definition of how business email compromise works, according to Europol:
“A fraudster emails posing as a high-ranking figure within the company, usually the CEO or CFO. They require an urgent payment. The employee is requested not to follow the regular authorisation procedures – urgency and confidentiality are invoked. Instructions on how to proceed may be given later, by a third person or via email. They use language such as: ‘The company trusts you,’ or ‘I am currently unavailable, but please proceed rapidly.’ The criminals have already hacked the corporate email system, and so have a good knowledge of the company. The employee targeted usually makes the payment, most often to international banks in the third world.”
It is always good practice to have a cyber security expert on your board. In the UK, Lloyds Bank reported that business email compromise scams have risen over 58 per cent in the last year. An alarming 53 per cent of business email compromise victims reported that scammers had impersonated their bosses and 52 per cent reported receiving emails from suppliers that had been impersonated.
“Having been in the UK computer security field for over 32 years, never in my career have I heard more complaints about big money lost due to BEC phishing scams than this year,” writes consultant Roger Grimes.
To improve an organisation’s security IQ, everyone needs to have a better understanding of where the risks are and what can be done to eliminate potential threats.
Read our white paper: Everything You Need to Know About Cyber Threats But Were Too Afraid To Ask
Cyber Threats – Criminals Use Role-Playing to Defraud
The cyber attackers who engage in this kind of phishing tend to assume roles that they think will help them gain credibility with potential victims. Security firm Symantec have noted that cyber attackers are building on previous ideas, getting more creative and using newer themes, such as:
- Requests to update salary or direct deposit account details;
- Requests for personal/work cellular/landline number to provide further instructions;
- Spoofed email, call or text from a person in authority requesting that the victim make certain kinds of purchases in the company name.
Symantec also describes the typical scenario: Playing the role of a high-level executive, the criminals often make inquiries about same-day wire payment. What’s the exact process, the pseudo-CEO asks the employee (usually in accounting or procurement). The scammer then asks about the limit for wire transfers.
With that information, the criminals have the employee set up a payment to a vendor. They tell the potential victim that there has been an issue with the direct deposit or payments account, and that they need to update their account details.
A standard ploy is that the ‘CEO’ can’t receive calls, so that instructions will be provided by another ‘company executive.’ This person sets up the fake deposit instructions, which actually send the funds to the criminals’ account far away.
Business Email Compromise and Criminals Fake Invoices
Many of the biggest BEC scams have involved fraudulent invoices. Most people have received fake invoices requesting payment for things like new computers and printer ink arriving out of nowhere.
“But BEC scammers are becoming more brazen,” warns Grimes, who relates the examples of BEC scams that hit Google and Facebook, costing more than $100 million. “The Google and Facebook BEC scammer learned the amount that the two companies routinely paid for computer equipment and created new (legal) companies with very similar sounding names and with real bank accounts. That way, when the scammer got paid by corporate check, he could cash them in his new company’s bank accounts, wait for them to clear, and then pocket the money using a withdraw. He got away with the scam for years.”
Keeping your board safe:
Read our white paper: How Board Directors Can Lead the Digital Transformation in the Boardroom
Criminals May Adopt Artificial Intelligence for BEC
Symantec predicts that, as artificial intelligence (AI) and machine learning (ML) become more developed, BEC scammers are already adopting these technologies and will be using them in the near future to make their attacks even more convincing.
“Both ML and AI could be used to power audio-visual ‘deepfakes’ that target or impersonate C-Suite executives. Already we have seen deepfakes that use only audio, as it is easier to leverage than both audio and visual elements.”
A BEC scammer using ML/AI could target an organisation’s senior financial executive or employee who has direct access to the CEO and who could authorise money transfers, Symantec says. “When the employee tries to verify the request, the scammer might use audio featuring the CEO — such as earning calls, YouTube footage, TED talks, and other previous recordings — to fool the employee into believing it is indeed the CEO’s voice on the other end ordering the transfer. The employee could then execute the request fully believing it was legitimate. While this is a scary prospect, future BEC scam scenarios may just play out this way.” Managing cyber threats of this level of skill and magnitude requires the best security available. Diligent Governance Cloud provides just that kind of protection.
Diligent Governance Cloud is the Leading Platform for Secure Board Meeting Software
As part of the Governance Cloud ecosystem, every Diligent tool is designed for optimum protection from hacks, cyber threats and data breaches. With the Diligent Boards board portal, Company Secretaries are able to customise access to committees and meeting documents, keeping data contained to authorised users with the ability to archive and “wipe” data according to board requirements.
With so much at stake and so much to oversee, boards need the assistance of board software to help them address the issue of improving corporate governance practices. Diligent Boards and the integrated suite of modern governance tools in Governance Cloud is the perfect solution for boards working on their board governance models.
As organisations grow more complex and regulations more stringent, the scope of governance responsibilities evolves. The Governance Cloud allows boards of directors to meet the demands in the boardroom and beyond with the ability to select the products they need that help them perform their best and work within their allotted budgets.
December 2, 2019
UK Section 172, Directors and Company Secretaries Responsibilities
What is Section 172 of the Companies Act: What Has Changed? Section 172 of the UK Companies Act 2006 makes clear that every director must make a good faith effort to promote the success of the company. It goes…
November 19, 2019
UK Shareholders Rights: Report Highlights Change Coming to Executive Pay
Stakeholders Take Center Stage in Diligent’s Report Boards of directors consider shareholder rights and stakeholder needs as key priorities, the new report – Stakeholders Take Center Stage: Director Views on Priorities and Society by The Diligent Institute in partnership with the Rock…
November 18, 2019
Best Practice For Board Committee Charters
In the UK, the role of the board committee has vastly expanded in recent years. With that increase in importance and scope, the need for board committees to work from clearly established charters that delineate their responsibilities has become critical. The importance of well-defined responsibilities for board…